[geeks] VPN Help needed...

Mark Benson md.benson at gmail.com
Thu Jan 3 09:34:27 CST 2008


On 03/01/2008, Geoffrey S. Mendelson <gsm at mendelson.com> wrote:
> Well, I would do something a lot simpler assuming you can use Firefox.

I can't assume Firefox can be used, sadly. Some people use IE (I know,
I know), and are stuck to it, and I use Safari, ideally, and while I
could use the Mac version of Firefox 2.x, it sadly sucks really badly
in OS X at the moment.

What part of the setup makes this Firefox specific? Does the
independent proxy config just make it convenient to use it as a
stand-alone client rather than modifying the Windows proxy settings (which
screw up everything in Windows that uses the Internet)? If this is the
case then people already using Firefox won't like it (potentially me,
although it won't bother me, and at least 2 other people), as that
would involve turning proxy support on and off all the time, would it
not?

I have to keep in mind the majority of users are not tech-savvy, so
minimal intervention would be ideal after I've done an initial setup.

> 1. You set up a server behind the firewall that runs SSH.
>
>    The SSH server only accepts ssh version 2 connections with
>    DSA keys (no password or RSA version 1 key authentication).
>    It should use a nonstandard port. Have the router forward that
>    port to the server.
>
> 2. You set up a batch file on the user's computer that SSH's to the
>    server and logs on. SSH for Windows can be downloaded as part of
>    the Cygwin package, or there is a package of just the SSH and enough
>    Cygwin to run it.
>
>    You start SSH with the -D option and specify a port number let's
>    say 1080. Note that old versions of SSH support SOCKS4 (no DNS)
>    protocol, the new ones support SOCKS5 (DNS) too.
>
> 3. You set up Firefox to use localhost port 1080 as a socks server.
>
> 3a. You install an add-on called FoxyProxy, which will select the proxy
>     by a pattern, and use something like "http*://*.<workdomain>/*"
>     with a proxy of "127.0.0.1:1080".
>
> It's actually less complicated than it sounds. It also works on all *NIX
> type systems with a reasonably late SSH client.
>
> To me, the main advantage of doing this is that it is NOT two way,
> I can't sit at work and access your computer or LAN at home.

It's a good idea, and I'd never have thought of it myself. It's free
and I trust SSH, and it is, as you say, a pretty simple method to
set up. The issue it falls down on in my mind is that of the client
side and handling use of corporate and non-corporate access at the
same time and/or switching between the two. This will be run from
users' 'home' machines, so interrupting their regular web service is bad
clinko (don't ask what that is - I made it up =oP). Maybe I am not
understanding it right?

Thank you so much for the suggestion, I'm gonna think on it and I'd
greatly appreciate any more input anyone has, including Geoffrey.

--

Mark Benson
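The server-side restrictions Geoffrey lists (protocol 2 only, key-only authentication, a non-default port) and the client-side `ssh -D` command are easy to get subtly wrong, so here is an added example, not from the thread or from either poster, that audits an `sshd_config` for those settings and prints the matching client command. The host name `gateway.example.net`, the server port 2222, the user `alice` and the sample config contents are placeholders chosen for this example; `AllowTcpForwarding` is checked as well because `-D` depends on it.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Audits an sshd_config for the restrictions described in the thread
# (protocol 2, key-only auth, non-default port, forwarding allowed) and
# prints the client-side command for the SOCKS tunnel.
# Placeholders: gateway.example.net, port 2222, user alice, sample config.

# Constructed sample sshd_config matching the server-side step.
SAMPLE_SSHD_CONFIG='Port 2222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowTcpForwarding yes
'

# Print the value of a directive from a config file (first match wins,
# directive names are case-insensitive, commented lines do not match).
sshd_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Check that a config enforces the thread's restrictions.
# Prints one line per failed check; returns 0 only when every check passes.
check_sshd_config() {
    f="$1"
    rc=0
    [ "$(sshd_get "$f" Protocol)" = "2" ] \
        || { echo "FAIL: Protocol must be 2"; rc=1; }
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_get "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication must not be disabled"; rc=1; }
    port="$(sshd_get "$f" Port)"
    case "$port" in
        ''|22) echo "FAIL: use a non-default Port (found '${port:-22 by default}')"; rc=1 ;;
    esac
    [ "$(sshd_get "$f" AllowTcpForwarding)" != "no" ] \
        || { echo "FAIL: AllowTcpForwarding no would break -D"; rc=1; }
    return $rc
}

# Build the client command for step 2: a SOCKS listener bound to loopback
# on local port $2, no remote shell (-N), and password auth refused on the
# client side too so a misconfigured server cannot fall back to it.
client_cmd() {
    # $1 = host, $2 = local SOCKS port, $3 = server port, $4 = user
    printf 'ssh -N -D 127.0.0.1:%s -p %s -o PasswordAuthentication=no %s@%s\n' \
        "$2" "$3" "$4" "$1"
}

main() {
    tmp="$(mktemp)"
    printf '%s' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    if check_sshd_config "$tmp"; then
        echo "server config OK"
    fi
    client_cmd gateway.example.net 1080 2222 alice
    rm -f "$tmp"
}

main "$@"
```

Run it as-is to see the checks pass on the embedded sample, or point `check_sshd_config` at a real `/etc/ssh/sshd_config` to see which of the thread's restrictions it misses. Binding the SOCKS listener to 127.0.0.1 rather than all interfaces keeps other machines on the user's home network from riding the tunnel.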


